Djvu
Djvu is ransomware that runs on Microsoft Windows. It has been heavily promoted through crack downloads and adware bundles. The ransomware is a variation of STOP and is the 17th variant in the family.

Payload

When one of these cracks is installed, the main installer is written to %LocalAppData%\guid\random.exe and executed. This program is the main ransomware component; it first downloads the following files to the same folder:

* %LocalAppData%\guid\1.exe
* %LocalAppData%\guid\2.exe
* %LocalAppData%\guid\3.exe
* %LocalAppData%\guid\updatewin.exe

When executed, 1.exe runs various commands that remove the Windows Defender definitions and disable various functionality. This executable also runs a PowerShell script called Script.ps1, which disables Windows Defender's real-time monitoring with this command:

Set-MpPreference -DisableRealtimeMonitoring $true

The ransomware then executes 2.exe, which adds numerous security sites and download sites to the Windows HOSTS file so that victims are unable to reach them for help.

The ransomware then begins encrypting the files on the computer and at the same time executes updatewin.exe. Updatewin.exe displays a fake Windows Update screen to distract the user while their files are being encrypted and to make the increased disk activity seem normal.

After the ransomware has finished encrypting files, it displays the following message:

------------------------
ALL YOUR FILES ARE ENCRYPTED
------------------------
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free.
File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
---------------------------------------------------------------------------------
To get this software you need write on our e-mail:
helpshadow@india.com
Reserve e-mail address to contact us:
helpshadow@firemail.cc
Your personal ID:
********************************************

Variants

* Djvus: It came out right before the New Year. While the developers haven't changed the virus much, the email address is now restoredjvu@firemail.cc. The virus still offers a 50% discount to those who contact its developers within 72 hours. Numerous cases have been reported in which the virus was found on the computer system, on cloud services and even on hard drives that had been connected to the compromised system. While some versions of STOP ransomware can be decrypted, this does not apply to Djvus.
* Djvuu: It was discovered in December 2018. As the name suggests, it appends the .djvuu extension to users' personal data. The ransom note, displayed in a text file still named _openme.txt, encourages victims to contact the criminals via the email addresses restoredjvu@india.com and restoredjvu@firemail.cc. Djvuu is not decryptable: the virus uses RSA encryption to make files useless, and the private keys are stored on the attackers' servers.
* Uudjuv: It is a slightly different version of the same Djvu virus. It appears on the targeted system through the common PirateBay setup window and in this way attempts to steal the user's credentials for various accounts, to be used in later scams. The developers created this variant without a ransom demand, but files on the computer are still encrypted using a mix of AES and RSA. The affected files are marked with the .uudjvu extension.
* Djvuq: It is one of the versions closer to the initial Djvu virus. It also encrypts files using the same algorithm and marks encoded photos, documents and even archives with .djvuq at the end. The ransom note is again placed in the _openme.txt file, with the discount deal on the ransom and the previously used contact emails restoredjvu@india.com and restoredjvu@firemail.cc.
* Udjvuq: It also appeared in December 2018, following previous identical versions. The cybercriminals behind the threat still focus on encryption and file marking for extortion. The ransom note states that the only way to recover the files is to pay up; according to the developers, other decryption tools cannot give the user the needed results.
* Tfude: It is one of the numerous versions of Djvu. Itself split into several sub-versions (.tfude, .tfudeq, .tfudet), the virus actively tries to overcome the computer's protection and install its malicious executable. Once active, the malware encrypts files and drops the _openme.txt ransom note. Even if the user's computer is offline, the virus can continue encrypting files. The cybercriminals ask victims to use the pdfhelp@india.com or pdfhelp@firemail.cc email addresses to reach them for decryption; however, making any contact with these criminals can result in loss of money.
* Pdff: It also uses the AES encryption algorithm to encrypt files and was first spotted in January 2019 attacking computer users in the Middle East. Nevertheless, the ransom note _openme.txt is still written in English and contains almost identical text to that typical of a Djvu infection. This time the crooks ask users to contact them at the pdfhelp@india.com and pdfhelp@firemail.cc email addresses. The other difference from the previous variants is the appended file extension, .pdff.
* Tro: It was observed on the web just a day after Pdff came out. It was spotted being distributed with the help of cracks, keygens or bundled software that includes adware applications. As soon as the virus enters the machine, it encrypts all the available data (skipping system files) with a secure encryption algorithm and adds the .tro file extension. The extension appears to be the only difference from the previous versions: the ransom note is still called _openme.txt and the contact emails are pdfhelp@india.com and pdfhelp@firemail.cc.
* Adobe: The .adobe extension was first introduced by the infamous Dharma ransomware. However, Djvu ransomware has also started using this extension after encrypting the victim's files and making them useless. After some time, it was changed to .adobee. The virus still uses pdfhelp@firemail.cc as the default email address that victims should use to contact the hackers about the ransom.
* Adobee: It is the same as Adobe, but with two e's (Adobee), and has the same operating principle. Once installed, the ransomware injects malicious content into the system and performs the encryption. After that, files appear with the .adobee extension and are blocked from any access. Like other Djvu versions, Adobee provides a ransom message named _openme.txt, which opens in Notepad. The crooks demand money in exchange for the decryption tool and provide the pdfhelp@india.com and pdfhelp@firemail.cc email addresses as a way to make contact.
* Blower: It can enter the PC secretly just like others of its kind, for example through infected hyperlinks or harmful attachments. Once installed, rogue and harmful content is injected into the system and malicious activities such as data encryption are performed. Blower appends the .blower file extension to each encrypted file. This ransomware is capable of locking all kinds of data, such as images, audio files, video, text documents, databases, Excel sheets, PowerPoint files and others. Once the encryption is performed, the crooks notify their victims through a text file named _readme.txt. Two emails are provided in this message: blower@india.com and blower@firemail.cc.
* Norvas: It is crypto malware that uses the same _readme.txt ransom note to swindle money from users worldwide. The virus first changes the code of the target files and then appends the .norvas extension to every piece of data that was affected, so the files become useless and cannot be used as before. The developers of Norvas ransomware can be reached via the vengisto@india.com and vengisto@firemail.cc email addresses. They also offer a 50% discount on the ransom if they are contacted within 24 hours.
* Grovat: It uses AES-256 encryption to make users' data useless. The victim is required to make a payment to a bitcoin wallet in exchange for the decryption code. The email addresses users are typically pointed to are merosa@india.com or merosa@firemail.cc; these addresses are used to contact the cybercriminals and obtain the bitcoin address for the payment. To generate a unique identifier along with the decryption code assigned to each user, the malware contacts its C&C server. The ransom note is called _readme.txt, like those used by other Djvu versions.
* Verasto: It was first spotted at the end of April 2019 and, since its release, has infected hundreds of users all over the world; it remains one of the most prevalent Djvu variants to date. Just like its predecessors, Verasto uses various propagation techniques, including spam emails, exploits, software cracks or keygens, fake updates and backdoors. After infiltration, the malware scans the device for a variety of the most popular file types, such as .jpg, .mpeg, .xlsx, .html, .zip and .php, and appends the .verasto marking.
* Meds: It is a variant that adds the .meds extension to all encrypted files; for example, it renames a file named 1.jpg to 1.jpg.meds, and so on. Meds creates a ransom note in the _readme.txt file.
* Domn: It is a variant whose encryption process was recently altered, with the initial algorithm slightly changed.

Category:Ransomware
Category:Microsoft Windows
Category:Win32
Category:Win32 ransomware
Category:Trojan
Category:Win32 trojan
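As an added example (not code from the original page): a Python triage helper for a suspected infection that maps encrypted-file extensions and ransom-note names from the variant list above to a Djvu variant, and lists HOSTS-file entries sunk to a loopback or null address, the blocking technique the Payload section attributes to 2.exe. The variant table is taken from this page; the file listing and HOSTS content are constructed samples, not real victim data or real blocked sites.

```python
"""Triage helpers for a suspected STOP/Djvu infection (added example, not
code from the original page). Maps encrypted-file extensions and ransom-note
names from the variant list to a variant, and lists HOSTS entries sunk to a
loopback/null address, the blocking technique the page attributes to 2.exe.
"""
from collections import Counter

# Extension -> variant name, as listed on this page (lowercase, no dot).
DJVU_EXTENSIONS = {
    "djvu": "Djvu", "djvus": "Djvus", "djvuu": "Djvuu", "uudjvu": "Uudjuv",
    "djvuq": "Djvuq", "udjvuq": "Udjvuq", "tfude": "Tfude", "tfudeq": "Tfude",
    "tfudet": "Tfude", "pdff": "Pdff", "tro": "Tro", "adobe": "Adobe",
    "adobee": "Adobee", "blower": "Blower", "norvas": "Norvas",
    "grovat": "Grovat", "verasto": "Verasto", "meds": "Meds", "domn": "Domn",
}
RANSOM_NOTES = {"_openme.txt", "_readme.txt"}   # note names used by the family
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain"}

def triage_listing(paths):
    """Return (variant, encrypted_count, ransom_note_paths) for a path list."""
    hits, notes = Counter(), []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]   # basename, any OS
        if name.lower() in RANSOM_NOTES:
            notes.append(p)
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in DJVU_EXTENSIONS:
            hits[DJVU_EXTENSIONS[ext]] += 1
    variant = hits.most_common(1)[0][0] if hits else None
    return variant, sum(hits.values()), notes

def hosts_sinkholes(hosts_text):
    """Return hostnames a HOSTS file maps to a loopback/null address."""
    blocked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 2 and fields[0] in SINKHOLE_ADDRS:
            blocked += [h for h in fields[1:] if h.lower() not in LEGIT_LOOPBACK]
    return blocked

# Constructed sample input (not real victim data or real blocked sites).
SAMPLE_PATHS = [r"C:\Users\alice\Documents\report.docx.tfude",
                r"C:\Users\alice\Pictures\1.jpg.tfude",
                r"C:\Users\alice\Documents\_openme.txt",
                r"C:\Users\alice\Desktop\notes.txt"]
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 security-vendor.example\n127.0.0.1 download-site.example # constructed\n"

if __name__ == "__main__":
    print(triage_listing(SAMPLE_PATHS), hosts_sinkholes(SAMPLE_HOSTS))
```

On the constructed sample this reports the Tfude variant with two encrypted files and one _openme.txt note, plus two sinkholed hostnames; a real run would feed it a directory walk and the contents of %SystemRoot%\System32\drivers\etc\hosts.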